from the guess-what-that-means dept

In September 2013, in response to a question from Senator Chuck Grassley, the NSA revealed the 12 known cases it had on record over the past decade or so of intentional abuses of the NSA surveillance data, by individuals spying on people they clearly shouldn't have been spying on. Many of these examples were classified as "LOVEINT" (a play on the traditional SIGINT -- for signals intelligence) for people who looked up the private information of those in whom they had a romantic interest. Of course, as we've noted, many of these cases were only discovered after the people self-reported the violation -- and some of that happened years later, suggesting many such abuses go undiscovered.

The released report included examples like the following:

In 2011, before an upcoming reinvestigation polygraph, the subject reported that in 2004, "out of curiosity," he performed a SIGINT query of his home telephone number and the telephone number of his girlfriend, a foreign national. The SIGINT system prevented the query on the home number because it was made on a US person. The subject viewed the metadata returned by the query on his girlfriend's telephone.

And:

In 2005, during a pre-retirement reinvestigation polygraph and interview, the subject reported that, in 2003, he tasked SIGINT collection of the telephone number of his foreign-national girlfriend without an authorized purpose for approximately one month to determine whether she was "involved with any [local] government officials or other activities that might get [him] in trouble."

And:

In 2004, upon her return from a foreign site, the subject reported to NSA Security that, in 2004, she tasked a foreign telephone number she had discovered in her husband's cellular telephone because she suspected that her husband had been unfaithful. The tasking resulted in voice collection of her husband.

And:

In 2003, the appropriate OIG was notified that an employee had possibly violated USSID 18. A female foreign national employed by the U.S. government, with whom the subject was having sexual relations, told another government employee that she suspected that the subject was listening to her telephone calls. The other employee reported the incident.

The investigation determined that, from approximately 1998 to 2003, the employee tasked nine telephone numbers of female foreign nationals, without a valid foreign intelligence purpose, and listened to collected phone conversations while assigned to foreign locations. The subject conducted call chaining on one of the numbers and tasked the resultant numbers. He also incidentally collected the communications of a U.S. person on two occasions.

There are more like that as well. Grassley then asked the DOJ, and specifically Attorney General Eric Holder, if the DOJ took any action against these individuals who clearly broke the law in their surveillance activities. The DOJ ignored the request entirely. In January of 2014 (more than a year ago), Grassley asked Holder again during a hearing when he would receive the answer to his question, and Holder again promised he would "do that soon" and that he would provide a "fulsome response to indicate how those cases were dealt with by the Justice Department."

Well, more than a year has gone by and guess whether or not Holder fulfilled that promise? If you guessed no, you'd be right. Grassley has now sent a new letter asking just when he can actually expect an answer, and suggesting it ought to happen soon.

Recently, however, the NSA released heavily redacted quarterly and annual reports by the NSA to the President's Intelligence Oversight Board ("IOB") that also provide information about these instances of intentional and willful misconduct, as well as other violations by NSA employees, from 2001 to 2013. In its December 23, 2014 press release, NSA asserted that "in the very few cases that involved the intentional misuse of a signals intelligence system, a thorough investigation is completed, the results are reported to the IOB and the Department of Justice as required, and appropriate disciplinary or administrative action is taken." The NSA even referenced its public letter to me that discussed the twelve instances of intentional abuse by NSA employees that led me to write to you back in October 2013.

Respectfully, given the date of my original request, your prior commitment to respond "soon," and the recent release of information by the NSA that expressly relies upon the Department of Justice's further review of these matters, I believe it is appropriate that you respond to my original request without delay.

from the how-can-anyone-take-them-seriously dept

We partly made this point last week, but I'm kind of in shock that so few people have paid attention to it, so it seems worth highlighting again: the NSA revelations last week about the supposed "only" cases of intentional abuse show that there's likely a ton of abuse that went undiscovered. After all, remember that NSA boss Keith Alexander has insisted that its auditing is near perfect:

"The assumption is our people are just out there wheeling and dealing. Nothing could be further from the truth. We have tremendous oversight over these programmes. We can audit the actions of our people 100%, and we do that," he said.

Addressing the Black Hat convention in Las Vegas, an annual gathering for the information security industry, he gave a personal example: "I have four daughters. Can I go and intercept their emails? No. The technical limitations are in there." Should anyone in the NSA try to circumvent that, in defiance of policy, they would be held accountable, he said: "There is 100% audibility."

Given that, you'd assume those twelve cases of intentional (and at times flagrant) abuse of the system, often to spy on "love interests," would have been caught by those audits. But no. By our count, only three out of the twelve were caught by audits. And four of the revelations appear to have been self-reported. And one of the abuses (one of the self-reported ones) happened seven years before the confession.

Given all of this, how can anyone (especially those in charge of the NSA and its oversight) argue that those are the only intentional abuses -- or that their audits can catch everyone? That's clearly untrue because they didn't.